misp-circl-feed/feeds/circl/misp/587fc1b5-fd10-42e7-8184-637702de0b81.json

{
"Event": {
"analysis": "2",
"date": "2017-01-18",
"extends_uuid": "",
"info": "OSINT - New Mac backdoor using antiquated code",
"publish_timestamp": "1484768100",
"published": true,
"threat_level_id": "3",
"timestamp": "1484768039",
"uuid": "587fc1b5-fd10-42e7-8184-637702de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#6a0084",
"local": "0",
"name": "ms-caro-malware:malware-platform=\"MacOS_X\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767794",
"to_ids": false,
"type": "text",
"uuid": "587fc232-0348-4488-a667-45b502de0b81",
"value": "The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I\u2019ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767808",
"to_ids": false,
"type": "link",
"uuid": "587fc240-a794-46ce-ac59-4b0a02de0b81",
"value": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
},
{
"category": "Payload delivery",
"comment": "~/.client",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767836",
"to_ids": true,
"type": "sha256",
"uuid": "587fc25c-5fe0-40f7-84df-638002de0b81",
"value": "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044"
},
{
"category": "Payload delivery",
"comment": "~/Library/LaunchAgents/com.client.client.plist",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767837",
"to_ids": true,
"type": "sha256",
"uuid": "587fc25d-0a48-44dc-a196-638002de0b81",
"value": "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3"
},
{
"category": "Network activity",
"comment": "The perl script, among other things, communicates with the following command and control (C&C) servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767858",
"to_ids": true,
"type": "ip-dst",
"uuid": "587fc272-e8ac-4372-83b6-4b2402de0b81",
"value": "99.153.29.240"
},
{
"category": "Network activity",
"comment": "The perl script, among other things, communicates with the following command and control (C&C) servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767859",
"to_ids": true,
"type": "hostname",
"uuid": "587fc273-ecb8-47bc-ba0d-4aa102de0b81",
"value": "eidk.hopto.org"
},
{
"category": "Payload delivery",
"comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767908",
"to_ids": true,
"type": "sha256",
"uuid": "587fc2a4-29fc-4bd5-bf7a-637a02de0b81",
"value": "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55"
},
{
"category": "Payload delivery",
"comment": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d,",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767936",
"to_ids": true,
"type": "sha256",
"uuid": "587fc2c0-2688-4d0a-8264-637f02de0b81",
"value": "b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0"
},
{
"category": "Payload delivery",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767968",
"to_ids": true,
"type": "sha256",
"uuid": "587fc2e0-9bec-4f9e-ade8-b06d02de0b81",
"value": "94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647"
},
{
"category": "Payload delivery",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767969",
"to_ids": true,
"type": "sha256",
"uuid": "587fc2e1-bcbc-4de8-a6d6-b06d02de0b81",
"value": "694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484767997",
"to_ids": false,
"type": "text",
"uuid": "587fc2fd-7a88-4b6d-afb0-b06b02de0b81",
"value": "OSX.Backdoor.Quimitchin"
},
{
"category": "Payload delivery",
"comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768039",
"to_ids": true,
"type": "sha1",
"uuid": "587fc327-b678-4803-b15f-b06d02de0b81",
"value": "18957d7549b4e296fcaeb122ff241d9799804fa3"
},
{
"category": "Payload delivery",
"comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768039",
"to_ids": true,
"type": "md5",
"uuid": "587fc327-ffb8-420f-9174-b06d02de0b81",
"value": "e4744b9f927dc8048a19dca15590660c"
},
{
"category": "External analysis",
"comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768040",
"to_ids": false,
"type": "link",
"uuid": "587fc328-feec-43dc-800c-b06d02de0b81",
"value": "https://www.virustotal.com/file/ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044/analysis/1484569121/"
},
{
"category": "Payload delivery",
"comment": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768041",
"to_ids": true,
"type": "sha1",
"uuid": "587fc329-9298-4b1c-ac87-b06d02de0b81",
"value": "cd42b88569faa946a4b9d6f7408b958dcbcf7554"
},
{
"category": "Payload delivery",
"comment": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768042",
"to_ids": true,
"type": "md5",
"uuid": "587fc32a-4528-458c-91a0-b06d02de0b81",
"value": "9d9cca200dd0e5f9d59225131d5269b0"
},
{
"category": "External analysis",
"comment": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768042",
"to_ids": false,
"type": "link",
"uuid": "587fc32a-60a0-48d1-89d1-b06d02de0b81",
"value": "https://www.virustotal.com/file/83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3/analysis/1484177653/"
},
{
"category": "Payload delivery",
"comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768043",
"to_ids": true,
"type": "sha1",
"uuid": "587fc32b-fcdc-4cec-b22d-b06d02de0b81",
"value": "66e520e18accd92abb4722a6cd6a285981ac5bd1"
},
{
"category": "Payload delivery",
"comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768044",
"to_ids": true,
"type": "md5",
"uuid": "587fc32c-27ec-4800-bc47-b06d02de0b81",
"value": "7bb4f5d962a5b3bb18db9ce08c0b6cbf"
},
{
"category": "External analysis",
"comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768045",
"to_ids": false,
"type": "link",
"uuid": "587fc32d-132c-4c51-9085-b06d02de0b81",
"value": "https://www.virustotal.com/file/bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55/analysis/1484082473/"
},
{
"category": "Payload delivery",
"comment": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768045",
"to_ids": true,
"type": "sha1",
"uuid": "587fc32d-c1e0-4edb-8e5d-b06d02de0b81",
"value": "3c4904832392e70e415b0520d45ff7a1c93c2c4e"
},
{
"category": "Payload delivery",
"comment": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768046",
"to_ids": true,
"type": "md5",
"uuid": "587fc32e-7b7c-4acc-a7d4-b06d02de0b81",
"value": "f8e3c8e43593ecbd9b62f6e18c8d6474"
},
{
"category": "External analysis",
"comment": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768047",
"to_ids": false,
"type": "link",
"uuid": "587fc32f-b3c8-442a-9cda-b06d02de0b81",
"value": "https://www.virustotal.com/file/b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0/analysis/1484326500/"
},
{
"category": "Payload delivery",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768048",
"to_ids": true,
"type": "sha1",
"uuid": "587fc330-7248-49ef-ae67-b06d02de0b81",
"value": "03ab5fdb40db260dbc35aadba202e920e57eb348"
},
{
"category": "Payload delivery",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768048",
"to_ids": true,
"type": "md5",
"uuid": "587fc330-2b6c-4b22-bc05-b06d02de0b81",
"value": "3adf6025eb710f2bf1918ee2f116153d"
},
{
"category": "External analysis",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768049",
"to_ids": false,
"type": "link",
"uuid": "587fc331-05c4-482c-ad41-b06d02de0b81",
"value": "https://www.virustotal.com/file/94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647/analysis/1484177008/"
},
{
"category": "Payload delivery",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768050",
"to_ids": true,
"type": "sha1",
"uuid": "587fc332-6d4c-4786-a7d2-b06d02de0b81",
"value": "1e493ebde7fa77d5ae503aa7758fac87d11da116"
},
{
"category": "Payload delivery",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768050",
"to_ids": true,
"type": "md5",
"uuid": "587fc332-1ae4-4394-8893-b06d02de0b81",
"value": "d4a14a1516d5ec9452a29de24ba85d0e"
},
{
"category": "External analysis",
"comment": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484768051",
"to_ids": false,
"type": "link",
"uuid": "587fc333-f574-41dc-9c50-b06d02de0b81",
"value": "https://www.virustotal.com/file/694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26/analysis/1484177158/"
}
]
}
}
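What follows is an added example, not part of the CIRCL feed or of the Malwarebytes write-up the event summarises. It parses the event in the layout shown above (Event -> Attribute[] with category/type/value/to_ids), keeps only the to_ids attributes as detection content, and runs them against the two persistence paths the event's comments name (~/.client and ~/Library/LaunchAgents/com.client.client.plist) and against a few constructed log lines. The trimmed event subset, the log lines and the throwaway home directory are constructed for the example; the attribute values are the page's own. Flagging a file at a persistence path even when its digest is not in the event is the editor's choice, not something the feed prescribes.

```python
import hashlib
import json
import os
import re
import tempfile
from collections import defaultdict

# Constructed subset of the CIRCL event above; attribute values are copied from the page,
# and the layout (Event -> Attribute[] with category/type/value/to_ids) is the feed's own.
EVENT_JSON = r'''{"Event": {
  "uuid": "587fc1b5-fd10-42e7-8184-637702de0b81",
  "info": "OSINT - New Mac backdoor using antiquated code",
  "Attribute": [
    {"category": "Payload delivery", "comment": "~/.client", "to_ids": true, "type": "sha256",
     "value": "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044"},
    {"category": "Payload delivery", "comment": "~/Library/LaunchAgents/com.client.client.plist",
     "to_ids": true, "type": "sha256",
     "value": "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3"},
    {"category": "Network activity", "comment": "C&C", "to_ids": true, "type": "ip-dst", "value": "99.153.29.240"},
    {"category": "Network activity", "comment": "C&C", "to_ids": true, "type": "hostname", "value": "eidk.hopto.org"},
    {"category": "Antivirus detection", "comment": "", "to_ids": false, "type": "text", "value": "OSX.Backdoor.Quimitchin"}
  ]}}'''

# Persistence artifacts named in the event's comments, relative to the user's home directory.
PERSISTENCE_PATHS = (".client", "Library/LaunchAgents/com.client.client.plist")
HASH_TYPES = {"md5", "sha1", "sha256"}


def load_indicators(event_json):
    """Return {attribute type: set of values}, keeping only attributes flagged to_ids.
    to_ids=false attributes (free text, analysis links, the AV name) are context, not
    detection content, so they are dropped. Hashes are lower-cased for comparison."""
    indicators = defaultdict(set)
    for attr in json.loads(event_json)["Event"].get("Attribute", []):
        if not attr.get("to_ids"):
            continue
        value = attr["value"]
        indicators[attr["type"]].add(value.lower() if attr["type"] in HASH_TYPES else value)
    return dict(indicators)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_home(home, indicators):
    """Hash whatever sits at the named persistence paths under `home`. A file there is
    reported even when its hash is not in the event: the path is the stronger signal,
    since a rebuilt sample would hash differently (editor's choice, not the feed's)."""
    known = indicators.get("sha256", set())
    findings = []
    for rel in PERSISTENCE_PATHS:
        path = os.path.join(home, rel)
        if os.path.isfile(path):
            digest = sha256_of(path)
            findings.append({"path": path, "sha256": digest, "known_sample": digest in known})
    return findings


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_log(lines, indicators):
    """Return (line number, indicator) pairs for lines that mention a C&C host or IP."""
    bad_hosts = {h.lower() for h in indicators.get("hostname", set()) | indicators.get("domain", set())}
    bad_ips = indicators.get("ip-dst", set()) | indicators.get("ip-src", set())
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, h.lower()) for h in _HOST.findall(line) if h.lower() in bad_hosts]
        hits += [(n, ip) for ip in _IPV4.findall(line) if ip in bad_ips]
    return hits


# Constructed log lines, not real traffic: a lookup of the C&C hostname, a connection to
# the C&C IP, and a benign lookup that must not match.
SAMPLE_LOG = [
    "2017-01-18T10:02:11Z dns query A eidk.hopto.org from 10.0.4.17",
    "2017-01-18T10:02:12Z conn 10.0.4.17:51234 -> 99.153.29.240:443 proto tcp",
    "2017-01-18T10:02:13Z dns query A updates.example.com from 10.0.4.17",
]


def build_constructed_home():
    """Constructed fixture: a throwaway home dir with a ~/.client that is NOT the real sample."""
    home = tempfile.mkdtemp(prefix="quimitchin-demo-")
    with open(os.path.join(home, ".client"), "wb") as fh:
        fh.write(b"constructed placeholder, not the malware\n")
    return home


if __name__ == "__main__":
    iocs = load_indicators(EVENT_JSON)
    for n, what in match_log(SAMPLE_LOG, iocs):
        print(f"log line {n}: C&C indicator {what}")
    for f in scan_home(os.path.expanduser("~"), iocs):  # checks the real user home
        print("persistence artifact:", f)
```

The md5 and sha1 attributes in the event are VirusTotal cross-checks of the same files, so a tool that only emits one digest type still gets a match against the full feed file; with the subset above only sha256 is loaded. The host check deliberately reports a file at ~/.client whose hash is unknown as a finding rather than a miss, because that path is the persistence location the event documents.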